(dev-v2.6-archive) Merge pull request #537 from paynejacob/feature/logging-crd-breakout

Added CRD annotations for logging

(partially cherry picked from commit 8dc1928d82)
pull/1680/head
Jacob Payne 2020-08-11 13:20:26 -07:00 committed by Arvind Iyengar
parent 41b77cb8e0
commit 56bc2e6fc0
No known key found for this signature in database
GPG Key ID: A8DD9BFD6C811498
8 changed files with 1161 additions and 266 deletions


@ -0,0 +1,17 @@
# Changelog
All notable changes from the upstream OPA Gatekeeper chart will be added to this file
## [Package Version 00] - 2020-07-27
### Added
- Enabled the CRD chart generator in `package.yaml`
### Modified
- Updated namespace to `cattle-gatekeeper-system`
- Updated `rancher/istio-kubectl` image to `1.5.8`
- Updated for Helm 3 compatibility
- Moved crds to `crds` directory
- Removed `crd-install` hooks and templates from crds
### Removed
- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation
- Removed unnecessary `index.yaml` as we package and host our charts


@ -0,0 +1,35 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sallowedrepos
spec:
crd:
spec:
names:
kind: K8sAllowedRepos
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
repos:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sallowedrepos
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}
violation[{"msg": msg}] {
container := input.review.object.spec.initContainers[_]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}
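Review bot: `startswith(container.image, repo)` on L58 and L64 is a plain prefix test, so an allowed entry written as `registry.example/team` also admits `registry.example/team-other/...` or `registry.example/teamx:latest` (constructed examples). The schema comment at L45 should state that, e.g. `# repos are matched as prefixes of the full image string; end each entry with "/" so sibling repos are not matched`. The two rules only walk `spec.containers` and `spec.initContainers`, so the same comment should mention that other image-bearing fields (for example `ephemeralContainers`) are not checked by this template.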


@ -0,0 +1,19 @@
apiVersion: batch/v1
kind: Job
metadata:
namespace: {{ .Release.Namespace }}
name: gatekeeper-delete-constraints-crd-job
annotations:
"helm.sh/hook": "pre-delete"
"helm.sh/hook-delete-policy": "hook-succeeded, before-hook-creation, hook-failed"
spec:
template:
spec:
serviceAccountName: gatekeeper-admin
containers:
- name: gatekeeper-delete-constraints-crd
image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
command: ["kubectl", "delete", "constrainttemplates", "--all"]
restartPolicy: Never
backoffLimit: 1
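Review bot: `kubectl delete constrainttemplates --all` on L88 removes every ConstraintTemplate in the cluster, not only the two this chart ships, because the resource is cluster-scoped and `--all` does not filter by owner; templates an operator created by hand go with the chart, and since Gatekeeper derives a CRD from each template, presumably every constraint of those kinds disappears too. A comment above `metadata` such as `# pre-delete hook: deletes ALL ConstraintTemplates cluster-wide, not just this chart's` would make that blast radius visible at uninstall time. The `hook-failed` policy on L79 also deletes the failed Job, so the pod logs explaining a failed cleanup are lost, and with no `activeDeadlineSeconds` a delete that blocks on a finalizer can hang the uninstall; `activeDeadlineSeconds: 300` next to `backoffLimit` on L90 would bound it.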


@ -0,0 +1,57 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
message:
type: string
labels:
type: array
items:
type: object
properties:
key:
type: string
allowedRegex:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
get_message(parameters, _default) = msg {
not parameters.message
msg := _default
}
get_message(parameters, _default) = msg {
msg := parameters.message
}
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_].key}
missing := required - provided
count(missing) > 0
def_msg := sprintf("you must provide labels: %v", [missing])
msg := get_message(input.parameters, def_msg)
}
violation[{"msg": msg}] {
value := input.review.object.metadata.labels[key]
expected := input.parameters.labels[_]
expected.key == key
# do not match if allowedRegex is not defined, or is an empty string
expected.allowedRegex != ""
not re_match(expected.allowedRegex, value)
def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
msg := get_message(input.parameters, def_msg)
}
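Review bot: `re_match(expected.allowedRegex, value)` on L144 is unanchored, so `allowedRegex: "prod"` also accepts label values like `preprod-2` or `production` (constructed examples). The comment on L142 should say so, e.g. `# allowedRegex is matched unanchored by re_match; use ^...$ to require the whole value to match`. The same comment could also note that when `allowedRegex` is absent the comparison on L143 is undefined and the rule simply does not fire, which is what the existing wording is getting at.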


@ -1,4 +1,7 @@
url: https://github.com/open-policy-agent/gatekeeper.git url: https://github.com/open-policy-agent/gatekeeper.git
subdirectory: chart/gatekeeper-operator subdirectory: charts/gatekeeper
type: git type: git
commit: 478aa0e193909a301cc7461f0f8c078d652e70fb commit: 9a8051ac8fa3dc407056ed0293a0d97210386115
generateCRDChart:
enabled: true
providesGVR: configs.config.gatekeeper.sh/v1alpha1



@ -1,19 +0,0 @@
{{- if .Values.additionalLoggingSources.rke1.enabled }}
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
name: {{ .Release.Name }}-rke
namespace: {{ .Release.Namespace }}
labels: {{ include "logging-operator.labels" . | indent 4 }}
spec:
controlNamespace: {{ .Release.Namespace }}
fluentbit:
inputTail:
Tag: "rke"
Path: "/rke/*.log"
extraVolumeMounts:
- source: "/var/lib/rancher/rke/log"
destination: "/rke"
readOnly: true
fluentd: {}
{{- end }}


@ -1,7 +1,7 @@
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/Chart.yaml packages/rancher-logging/charts/Chart.yaml diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/Chart.yaml packages/rancher-logging/charts/Chart.yaml
--- packages/rancher-logging/charts-original/Chart.yaml --- packages/rancher-logging/charts-original/Chart.yaml
+++ packages/rancher-logging/charts/Chart.yaml +++ packages/rancher-logging/charts/Chart.yaml
@@ -1,5 +1,11 @@ @@ -1,5 +1,15 @@
apiVersion: v1 apiVersion: v1
appVersion: 3.4.0 appVersion: 3.4.0
-description: A Helm chart to install Banzai Cloud logging-operator -description: A Helm chart to install Banzai Cloud logging-operator
@ -15,6 +15,10 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/Chart.
+ catalog.cattle.io/namespace: cattle-logging-system + catalog.cattle.io/namespace: cattle-logging-system
+ catalog.cattle.io/release-name: rancher-logging + catalog.cattle.io/release-name: rancher-logging
+ catalog.cattle.io/ui-component: logging + catalog.cattle.io/ui-component: logging
+
+ catalog.cattle.io/requires-gvr: logging.banzaicloud.io/v1beta1
+ catalog.cattle.io/auto-install-gvr: logging.banzaicloud.io/v1beta1
+ catalog.cattle.io/provides-gvr: logging.banzaicloud.io/v1beta1
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values.yaml packages/rancher-logging/charts/values.yaml diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values.yaml packages/rancher-logging/charts/values.yaml
--- packages/rancher-logging/charts-original/values.yaml --- packages/rancher-logging/charts-original/values.yaml
+++ packages/rancher-logging/charts/values.yaml +++ packages/rancher-logging/charts/values.yaml
@ -27,7 +31,7 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
@@ -76,4 +76,48 @@ @@ -76,4 +76,44 @@
monitoring: monitoring:
# Create a Prometheus Operator ServiceMonitor object # Create a Prometheus Operator ServiceMonitor object
serviceMonitor: serviceMonitor:
@ -74,7 +78,4 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
+ address: "" + address: ""
+ cluster: true + cluster: true
+ root_ca: "" + root_ca: ""
+ \ No newline at end of file
+additionalLoggingSources:
+ rke1:
+ enabled: false
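Review bot: The added annotations at L200–L202 make rancher-logging both require and provide `logging.banzaicloud.io/v1beta1`. If this follows the gatekeeper package in the same commit, where the generated CRD chart carries `providesGVR`, then `catalog.cattle.io/provides-gvr` on the main chart looks like it belongs to the CRD chart instead; worth confirming which chart is meant to satisfy the requirement, since a chart that provides its own prerequisite would not gate installation on the CRDs. The stray blank `+` line at L199 inside the `annotations` block of Chart.yaml is also an unnecessary addition to the patch. The patched Chart.yaml and values.yaml hunks both continue outside what this page shows.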